Following the report of the Operation Triangulation campaign targeting iOS devices, Kaspersky experts shed light on the details of the spyware used in the attack.
Dubbed TriangleDB, the software gives attackers covert surveillance capabilities. It only works in memory, ensuring all traces of it will be erased when the device is restarted
Earlier, Kaspersky reported on a new mobile APT (Advanced Persistent Threat) campaign targeting iOS devices via iMessage. Following a six-month investigation, Kaspersky researchers have published an in-depth analysis of the exploit chain and a detailed exploration of spyware infection activity.
The software, called TriangleDB, is deployed by exploiting a vulnerability to gain root privileges on iOS devices. Once launched, it only works in the device’s memory, so traces of the infection will disappear when the device reboots. So, if the victim reboots the device, the attacker needs to re-infect the device by sending another iMessage with the malicious attachment, starting the whole exploit again.
If the device does not reboot, the software will automatically uninstall after 30 days, unless the attackers extend this time. Acting as sophisticated spyware, TriangleDB performs many data collection and monitoring capabilities.
The software includes 24 commands with diverse functions. These commands serve a variety of purposes, such as interacting with the device’s file system (including creating files, modifying, extracting, and deleting), managing processes (enumerate and terminate), extracting strings to collect the victim’s credentials, and monitoring the victim’s geolocation.
While analyzing TriangleDB, Kaspersky experts discovered that the CRConfig class contains an unused method named popatedWithFieldsMacOSOnly. Although not used in iOS infections, its presence indicates its ability to target macOS devices.
Georgy Kucherin, a security expert at Global Research and Analysis Team, Kaspersky said: “When digging deeper into the attack, we discovered that this sophisticated iOS infection has many strange features. We continue to analyze the campaign and will update everyone with information. We’re calling on the cybersecurity community to come together to share knowledge and collaborate to get a clearer picture of the threats out there.”
